Websites have greatly proliferated in recent years. The number of services provided by websites has also grown quite rapidly, to the point that almost any type of service may now be obtained via the Internet. The growth in the number of websites has largely occurred without any concerted effort to integrate the various sites. That is, each website has typically been created and maintained as a standalone site, and has generally not been constructed to interact, cooperate, or share information with other websites. As a result, users generally have to maintain a separate and distinct user account on each website. For example, a user may have one account on a book vending website, another account on a computer system vending website, yet another account on a travel agency website, and so on. Having all of these accounts generally forces the user to remember a user name and password for each account. In addition, because each website is its own standalone site, the user typically has to log in separately to each website to use the services provided thereon. Furthermore, the user generally has to provide the same set of information (e.g. first name, last name, address, etc.) over and over again to the various sites, which can be time consuming and tedious.
In an attempt to enable separate websites to interact and share information with each other (thereby, easing the burden on the user), an organization known as the Liberty Alliance has been formed. The Liberty Alliance is a standards organization that has established a Liberty standard, which governs interaction between various websites. The Liberty standard sets forth standard protocols and schemas that can be used to facilitate such interaction. As it currently stands, the Liberty standard comprises two major aspects: a federation framework and a web services framework.
The federation framework makes it possible to set up a circle of trust among a plurality of websites. Within this circle of trust, account linking can be implemented such that an account on one website can be mapped to an account on another website. With such account linking, it is possible to achieve single sign-on (SSO), whereby a user logs in to an account on just one of the websites within the circle of trust and can thereafter access accounts on other websites within the circle of trust without having to log in to those websites. While the accounts on the various websites are linked, the information in the accounts is not necessarily shared (unless the parties specifically agree to share some or all of the information). Thus, with the federation framework, the information in each account remains private to its associated website.
The web services framework enables information to be easily shared among a plurality of websites. With the web services framework, a user can maintain information in a central repository located at one of the websites, and can direct other websites to consult that central repository to obtain information pertaining to the user. For example, a user can maintain his personal profile information (e.g. name, address, phone number, etc.) at a website A. When the user visits a website B (which may, for example, be a website that sells certain goods), and website B requires certain information about the user (for example, an address to which to ship a purchased item), website B can request the user information from website A. With the web services framework, the user does not have to provide his information to each website that he patronizes.
Often, the information that is shared using the web services framework is very sensitive information, such as for example a user's address, social security number, credit card information, etc. Consequently, ensuring that this information is shared with only the proper parties is a major concern of the framework. For this reason, a web service provider usually implements a security mechanism to authenticate a service requester before allowing the service requester to access the web service. For example, web service A on website A may implement a security mechanism to authenticate website B before it allows website B to access web service A. This helps to ensure that the information provided by a web service is accessed only by authorized parties.
While such a security mechanism provides some desirable security, the security that it provides is at the web service level (i.e. whether the web service can be accessed at all), which is a relatively high level. This in turn means that the protection afforded by the security mechanism is relatively coarse-grained. The coarse-grained nature of this protection does not give an administrator as much control as would be desired in many implementations.